By: (CISSP, CISA, Security+)

Publication: The Kansas Banker , July 2017

Kansas Banker July 201In the past, the Board has always been expected to make strategic decisions, choosing what was best for the overall success of their institution.  For most institutions, these decisions were made with little information or regard to cybersecurity.   As threats to our information security evolve, so do examiner expectations for the Board of Directors. 

With the release of the FFIEC’s Cybersecurity Assessment Tool in 2015, we saw specific examiner suggestions for improving Board oversight of an institution’s cybersecurity program and posture in their Overview for Chief Executive Officers and Board of Directors. The picture painted throughout all the suggestions provided is that of a Board who understands cyber risks and makes risk-based decisions.  That picture may or may not be an overwhelming shift for your institution, but I think for the vast majority of us, there is room for growth in this area.  For institutions with a large gap their current Board oversight of cybersecurity versus where they need to be, here are a few things to start with:

Read Full Article



Publication: The Community Banker , Summer 2017


The Community Banker Summer 2017A specific type of malware named WannaCry made international headlines in May after achieving an unprecedented infection rate. Using EternalBlue, a recently leaked tool from the US Intelligence community, it installed malicious software that encrypted files then required victims to pay a ransom to restore them. The timing of this tool’s release and subsequent use in such a widespread event has taught – and retaught - network administrators around the globe to revisit the basic lessons of security.

Patching is still king.

Read Full Article


By: (Security+)

Publication: The Kansas Banker , June 2017

The Kansas Banker June 2017When you consider your bank’s security awareness training, what comes to mind? Maybe you think of an hour-long lecture you present (or attend) on an annual basis. Maybe you think of an online program you watched or a lengthy document you read. Whatever may come to mind, it is important to ask the question: How effective is this training?

TD Ameritrade Institutional and the Financial Planning Association Research and Practice Institute published a study in September 2016 describing how advisory firms manage cybersecurity awareness training. The results were not far from what I have come to know from time I have spent with banks. The study showed the vast majority (88%) of respondent firms said they spend two hours or less annually in on-going cybersecurity awareness training. Fifty percent of the same group said they conduct this training semi-annually or annually.

Read Full Article



Publication: Nebraska Banker , March/April 2017

Nebraska Banker March/April 2017

Intrusion Detection Systems (IDS) have been around for over thirty years, dating back to the Intrusion Detection Expert System (IDES) in the mid 1980’s. Intrusion detection technology continued to evolve with the introduction of Host-based, Network-based and Network behavior analysis systems. Additionally, systems capable of blocking malicious traffic, Intrusion Prevention Systems (IPS), originated from IDS.


Intrusion Detection and Prevention Systems (IDPS) traditionally have been hosted on systems dedicated to the task of detecting and responding to malicious network traffic. Over the last several years, security appliances that fill multiple roles such as firewall, VPN, Internet filtering, antivirus, and IDPS have been placed on the market by multiple vendors. These devices, also known by the name Unified Threat Management (UTM), may not always provide true IDPS services since the device may not have adequate system resources or may require additional licenses or hardware modules. This can leave a device owner believing they are protected by and IDPS, when in fact they are not.

Read Full Article


By: (Network+, CISA)

Publication: The Community Banker , Spring 2017


Community Banker Spring 2017In 1982, a Coke machine at Carnegie Mellon University was modified to connect to the Internet and report inventory and temperature status. In 1985, the first alleged use of the term “Internet of Things” was by Peter T. Lewis before a technical panel organized by the FCC and U.S. Department of Commerce Minority Enterprise Telecommunications Seminars. It is only in recent years, however, that the Internet of Things, or IoT for short, has really taken off and influenced our daily lives.

Read Full Article


By: (Security+)

Publication: The Kansas Banker , March 2017


Kansas Banker March 2017Assessing risk is all about extrapolating meaning from potential. In other words, look at what could happen and consider how those things would affect you. The process can be as complicated or as simple as you choose to make it. At the end of the day, risk assessments are a way to become aware of potential issues and of controls to alleviate those dangers. You do not have to think of every potential scenario. In fact, considering what is common covers the majority of threats.


Read Full Article


By: (ISACA Cybersecurity Fundamentals, CompTIA A+, Security+)

Publication: Colorado Banker , March/April 2017


Colorado Bank Mar/Apr 2017Floods. Hurricanes. Tornadoes. Fire. Power outages. The zombie apocalypse (well, maybe not that one). You don’t have to be in banking to know these threats exist in our world. Although they may not have an exhaustive, board approved Business Continuity Plan ready to go in an emergency, the average person has some awareness that disasters occur and an instinct on what to do:

“The hurricane is projected to make landfall – shutter the windows and head to aunt Martha’s.”

“There’s been a fire – call 911, get out of the building, stop, drop, and roll.”

Elementary, right? What about this one:

Read Full Article



Publication: Nebraska Banker , January/February 2017


Nebraska Banker Jan- Feb 2017There has been a lot of attention on website ADA compliance over the past few months.  Several community banks have received demanding letters from law firms alleging the bank is violating the Americans with Disabilities Act (ADA).  Purportedly these letters claim that unless the bank modifies its website to meet the World Wide Web Consortium’s Web Content Accessibility Guidelines (WCAG), the bank will continue to violate ADA.  So, what does this mean?  Let’s take a look at some common questions banks are asking about ADA compliance.

What is ADA compliance?

Read Full Article



The Kansas Banker Jan 2017

ADA website accessibility is a trending topic in the community banking industry. Why? Recently several financial institutions have received letters threatening lawsuits because banking websites are not “accessible.” The Americans with Disabilities Act (ADA), enacted in 1990, is a civil rights law created to prohibit discrimination against individuals with disabilities. In 2010, the Department of Justice (DOJ) initiated the rulemaking process concerning website accessibility. This process consists of calls for public comments on proposed rules, impact and cost analysis, and finally acceptance into the federal register. Since 2010, the process has been continually delayed. As of right now, finalized rules are expected to be released sometime in 2018, leaving no clear guidelines to follow at the moment. Without these guidelines in place, how can your bank protect itself from opportunistic legal battles while committing to provide an accessible site to your customers? Accessibility policies and vendor management are the answer.

Read Full Article


By: (Security+)

Publication: The Colorado Banker , January/February 2017


The Colorado Banker 2017

If you spend much time with teenagers, you know they use a special version of the English language. A few months ago, I was introduced to the term “on fleek.” Personally, I never liked it, but by the time I worked up enough courage to use the term in a conversation, I was informed, “Alyssa, ‘on fleek’ is so last year. Now, we say ‘lit’.” (Rolling my eyes here.) While both terms can be used to describe something “awesome,” I tell you this to emphasize how difficult it can be to understand another language.

Read Full Article